A method and related device for suppressing attack behavior in a vehicle internet

By monitoring the request rate and historical attack count of vehicle network nodes, adjusting the token bucket capacity, and combining this with a trust scoring mechanism, the problem of malicious attacks in vehicle ad hoc networks was solved. This enabled rapid identification and suppression of high-load attacks, ensuring the security and reliability of vehicle networks.

CN122394862APending Publication Date: 2026-07-14BEIHANG UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIHANG UNIV
Filing Date
2026-04-16
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Vehicle-mounted ad hoc networks are vulnerable to malicious attacks, which can disrupt the spread of false information and the trust assessment process, affecting the real-time nature and reliability of emergency response.

Method used

By monitoring the request rate and historical attack count of the target node within the current time window, the token bucket capacity is adjusted to limit the request rate, and combined with a trust scoring mechanism, high-load attack behavior is identified and suppressed.

Benefits of technology

It can quickly and accurately identify high-load attacks, dynamically adjust the token bucket capacity, suppress attack behavior, and ensure the security and reliability of vehicle-mounted ad hoc networks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394862A_ABST
    Figure CN122394862A_ABST
Patent Text Reader

Abstract

The application provides a method and related equipment for suppressing attack behavior in Internet of Vehicles. The request rate of a target node in a current time window is determined according to the total number of requests of the target node in the current time window and the length of the time window, wherein the target node belongs to Internet of Vehicles. When the request rate of the target node in the current time window is greater than a request rate threshold, it is determined that the target node has a high-load attack behavior. When the target node has a high-load attack behavior, the token bucket capacity of the target node is adjusted according to the historical number of attacks. Through the request rate of the target node in the current time window, whether the target node has a high-load attack behavior is quickly and accurately identified, and when the target node has a high-load attack behavior, the token bucket capacity of the target node is adjusted to dynamically limit the request rate of the target node, so that the defense purpose of suppressing attack behavior in Internet of Vehicles is achieved, and the safety of vehicle ad hoc network is ensured.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of vehicle networking, and more specifically, to a method and related equipment for suppressing attack behavior in vehicle networking. Background Technology

[0002] As a crucial component of smart cities, intelligent connected vehicles are enabling real-time information exchange between vehicles and between vehicles and roadside infrastructure through Vehicle Ad Hoc Networks (VANETs). Real-time information exchange is essential for improving traffic efficiency, ensuring driving safety, and achieving efficient emergency response in smart cities. In emergency response scenarios, the timeliness, accuracy, and reliability of information directly affect response speed and effectiveness. Therefore, ensuring the high reliability of vehicle nodes participating in information exchange is a core foundation for building a reliable emergency response system for smart cities.

[0003] However, the inherent openness, decentralization, and high-speed mobility of vehicular ad hoc networks (VANs) make them highly vulnerable to malicious attacks. Malicious vehicle nodes may disrupt traffic by spreading false information or undermine the overall security of the system by manipulating the trust assessment process. These attacks can have catastrophic consequences in emergency response scenarios, such as misleading rescue vehicles, delaying critical response times, or even causing secondary accidents. Accurately and quickly detecting and defending against these attacks is a crucial aspect of ensuring the security of VANs and a challenging issue of concern to those skilled in the art. Summary of the Invention

[0004] The purpose of this invention is to provide a method and related equipment for suppressing attack behavior in the Internet of Vehicles (IoV) to improve the above-mentioned problems.

[0005] To achieve the above objectives, the technical solutions adopted in the embodiments of the present invention are as follows: In a first aspect, embodiments of the present invention provide a method for suppressing attack behavior in a vehicle network, the method comprising: The request rate of the target node in the current time window is determined based on the total number of requests to the target node in the current time window and the length of the time window, wherein the target node belongs to the Internet of Vehicles. When the request rate of the target node exceeds the request rate threshold within the current time window, it is determined that the target node has engaged in a high-load attack. When a high-load attack occurs on the target node, the token bucket capacity of the target node is adjusted according to the number of historical attacks.

[0006] Secondly, embodiments of the present invention provide an attack behavior suppression device in a vehicle network. The device includes: The first processing unit is used to determine the request rate of the target node in the current time window based on the total number of requests to the target node in the current time window and the length of the time window, wherein the target node belongs to the Internet of Vehicles. The first processing unit is further configured to determine that the target node has engaged in a high-load attack when the request rate of the target node within the current time window is greater than the request rate threshold; The second processing unit is used to adjust the token bucket capacity of the target node based on the number of historical attacks when the target node experiences a high-load attack.

[0007] Thirdly, embodiments of the present invention provide a storage medium having a computer program stored thereon, which, when executed by a processor, implements the above-described method.

[0008] Fourthly, embodiments of the present invention provide an electronic device, the electronic device comprising: a processor and a memory, the memory being used to store one or more programs; when the one or more programs are executed by the processor, the above-described method is implemented.

[0009] Compared to existing technologies, the present invention provides a method and related equipment for suppressing attacks in a vehicle-to-everything (V2X) network. This method determines the request rate of a target node within a current time window based on the total number of requests made by the target node within that time window and the length of the time window. The target node is considered to be part of the V2X network. When the request rate of the target node within the current time window exceeds a request rate threshold, it is determined that the target node is engaging in a high-load attack. When a high-load attack occurs, the token bucket capacity of the target node is adjusted based on historical attack counts. By quickly and accurately identifying whether a target node is engaging in a high-load attack through its request rate within the current time window, and dynamically limiting the request rate of the target node when a high-load attack occurs, the method aims to suppress attacks in the V2X network and thus ensure the security of the vehicle-mounted ad hoc network.

[0010] To make the above-mentioned objects, features and advantages of the present invention more apparent and understandable, preferred embodiments are described below in detail with reference to the accompanying drawings. Attached Figure Description

[0011] To more clearly illustrate the technical solutions of the embodiments of the present invention, the accompanying drawings used in the embodiments will be briefly introduced below. It should be understood that the following drawings only show some embodiments of the present invention and should not be regarded as a limitation on the scope. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.

[0012] Figure 1This is a schematic diagram of the structure of an electronic device provided in an embodiment of the present invention.

[0013] Figure 2 This is one of the flowcharts illustrating the method for suppressing attack behavior in the Internet of Vehicles provided in this embodiment of the invention.

[0014] Figure 3 This is the second flowchart illustrating the method for suppressing attack behavior in the Internet of Vehicles provided in this embodiment of the invention.

[0015] Figure 4 This is the third flowchart illustrating the method for suppressing attack behavior in the Internet of Vehicles provided in this embodiment of the invention.

[0016] Figure 5 This is the fourth flowchart illustrating the method for suppressing attack behavior in the Internet of Vehicles provided in this embodiment of the invention.

[0017] Figure 6 The fifth flowchart illustrates the method for suppressing attack behavior in the Internet of Vehicles provided in this embodiment of the invention.

[0018] Figure 7 This is the sixth flowchart illustrating the method for suppressing attack behavior in the Internet of Vehicles provided in this embodiment of the invention.

[0019] Figure 8 This is the seventh flowchart illustrating the method for suppressing attack behavior in the Internet of Vehicles provided in this embodiment of the invention.

[0020] Figure 9 This is the eighth flowchart illustrating the method for suppressing attack behavior in the Internet of Vehicles provided in this embodiment of the invention.

[0021] Figure 10 This is a schematic diagram of a unit for an attack behavior suppression device in a vehicle network provided in an embodiment of the present invention.

[0022] In the diagram: 10-Processor; 11-Memory; 12-Bus; 13-Communication interface; 701-First processing unit; 702-Second processing unit. Detailed Implementation

[0023] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. The components of the embodiments of the present invention described and shown in the accompanying drawings can generally be arranged and designed in various different configurations.

[0024] Therefore, the following detailed description of the embodiments of the invention provided in the accompanying drawings is not intended to limit the scope of the claimed invention, but merely to illustrate selected embodiments of the invention. All other embodiments obtained by those skilled in the art based on the embodiments of the invention without inventive effort are within the scope of protection of the invention.

[0025] It should be noted that similar reference numerals and letters in the following figures indicate similar items; therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures. Furthermore, in the description of this invention, terms such as "first," "second," etc., are used only to distinguish descriptions and should not be construed as indicating or implying relative importance.

[0026] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0027] In the description of this invention, it should be noted that the terms "upper," "lower," "inner," "outer," etc., indicate the orientation or positional relationship based on the orientation or positional relationship shown in the accompanying drawings, or the orientation or positional relationship in which the product of this invention is usually placed when in use. They are only for the convenience of describing this invention and simplifying the description, and do not indicate or imply that the device or element referred to must have a specific orientation, or be constructed and operated in a specific orientation. Therefore, they should not be construed as limiting this invention.

[0028] In the description of this invention, it should also be noted that, unless otherwise explicitly specified and limited, the terms "set" and "connection" should be interpreted broadly. For example, they can refer to a fixed connection, a detachable connection, or an integral connection; they can refer to a mechanical connection or an electrical connection; they can refer to a direct connection or an indirect connection through an intermediate medium; and they can refer to the internal connection of two components. Those skilled in the art can understand the specific meaning of the above terms in this invention based on the specific circumstances.

[0029] The following detailed description of some embodiments of the present invention is provided in conjunction with the accompanying drawings. Unless otherwise specified, the following embodiments and features can be combined with each other.

[0030] This invention provides an electronic device as an edge access point for a vehicle-to-everything (V2X) network, which can be a computer device, a mobile phone device, or a gateway device. Please refer to... Figure 1 This is a schematic diagram of the structure of an electronic device. The electronic device includes a processor 10, a memory 11, and a bus 12. The processor 10 and the memory 11 are connected via the bus 12. The processor 10 is used to execute executable modules, such as computer programs, stored in the memory 11.

[0031] Processor 10 can be an integrated circuit chip with signal processing capabilities. During implementation, each step of the attack suppression method in the vehicle-to-everything (V2X) network can be completed through the integrated logic circuits in the hardware of processor 10 or through software instructions. The processor 10 can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it can also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components.

[0032] The memory 11 may include high-speed random access memory (RAM) and may also include non-volatile memory, such as at least one disk storage.

[0033] Bus 12 can be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, or an EISA (Extended Industry Standard Architecture) bus, etc. Figure 1 The symbol is represented by a single double-headed arrow, but this does not mean that there is only one bus 12 or one type of bus 12.

[0034] The memory 11 is used to store programs, such as programs corresponding to attack suppression devices in vehicle-to-everything (V2X) networks. The attack suppression device in V2X networks includes at least one software functional module that can be stored in the memory 11 as software or firmware, or embedded in the operating system (OS) of the electronic device. Upon receiving an execution instruction, the processor 10 executes the program to implement the attack suppression method in V2X networks.

[0035] The electronic device provided in this embodiment of the invention may further include a communication interface 13. The communication interface 13 is connected to the processor 10 via a bus.

[0036] It should be understood that, Figure 1 The structure shown is only a partial schematic diagram of the electronic device; the electronic device may also include components that are larger than... Figure 1 The more or fewer components shown, or having the same Figure 1 The different configurations shown. Figure 1 The components shown can be implemented using hardware, software, or a combination thereof.

[0037] The method for suppressing attack behavior in the Internet of Vehicles provided in this embodiment of the invention can be applied to, but is not limited to, [various applications]. Figure 1 For the specific process of the electronic devices shown, please refer to [link / reference]. Figure 2 The methods for suppressing attack behavior in the Internet of Vehicles include: S11, S12 and S13, which are described in detail below.

[0038] S11. Determine the request rate of the target node within the current time window based on the total number of requests to the target node within the current time window and the length of the time window.

[0039] Among them, the target node belongs to the Internet of Vehicles (IoV). The target node can be any vehicle node in the IoV, or a vehicle node in the IoV that is initially identified as unreliable. The current time window can be a sliding time window, that is, a time window of a preset length before the current time point, which dynamically and smoothly reduces instantaneous fluctuation interference and identifies continuous high load attacks.

[0040] Optionally, the request rate of the target node within the current time window is calculated as follows:

[0041] in, This represents the request rate of the target node (node ​​j) within the current time window (an exponentially smoothed value of the number of requests per second in the current time window; used to suppress transient spikes and highlight sustained high loads). This indicates the request rate of the target node within the previous time window. The smoothing coefficient represents the smoothing properties (a larger coefficient indicates greater passivity, meaning it values ​​historical data and responds more slowly but is more stable; a smaller coefficient indicates greater sensitivity and faster tracking of the current window). The range of smoothing coefficient values ​​is [not specified]. ), This indicates the total number of requests to the target node within the current time window. Indicates the length of the time window.

[0042] S12, when the request rate of the target node in the current time window is greater than the request rate threshold, it is determined that the target node has engaged in high-load attack behavior.

[0043]

[0044] in, Indicates the request rate threshold. This represents the historical average request rate of the target node (within the most recent preset time period). This represents the historical standard deviation of the request rate for the target node (within the most recent preset time period).

[0045] S13: When a high-load attack occurs on the target node, adjust the token bucket capacity of the target node based on the number of historical attacks.

[0046] By adjusting the token bucket capacity of the target node, the request rate of the target node can be dynamically limited.

[0047] Optionally, the formula for calculating the token bucket capacity of the target node is:

[0048] in, This indicates the token bucket capacity of the target node. This represents the historical baseline request rate of the target node (the steady-state average of the target node's request rate over a recent period). This represents the attack count decay coefficient. This indicates the number of historical attacks initiated by the target node (i.e., the total number of historical requests). This indicates the minimum guaranteed capacity (to prevent complete disconnection in case of false positives). The more attacks there are, the larger the token bucket capacity becomes. Exponential tightening.

[0049] In the attack suppression method for the Internet of Vehicles provided in this embodiment of the invention, the high-load attack behavior of the target node is quickly and accurately identified by the request rate of the target node in the current time window. When a high-load attack behavior occurs, the token bucket capacity of the target node is adjusted to dynamically limit the request rate of the target node, thereby achieving the defensive purpose of suppressing attack behavior in the Internet of Vehicles and ensuring the security of the vehicle ad hoc network.

[0050] Please refer to Figure 3When the request rate of the target node in the current time window is greater than the request rate threshold, the attack behavior suppression method in the Internet of Vehicles also includes: S14, which is described in detail below.

[0051] S14. Based on the request rate of the target node in the current time window, adjust the overall trust weight of the target node in the next time window to achieve trust downgrading.

[0052] When a target node is deemed unreliable after its trust level is downgraded, the vehicle network does not need to respond to requests sent by the node, thereby achieving the defensive purpose of suppressing attack behavior.

[0053] Optionally, the formula for calculating the overall credibility weight of the target node in the next time window is:

[0054] in, This represents the overall credibility weight of the target node in the next time window (which decreases linearly as the real-time request rate exceeds the limit). This represents the overall credibility weight of the target node within the current time window. This indicates the request rate of the target node within the current time window. This represents the historical baseline request rate of the target node. It is a constant (a small constant to prevent the denominator from being zero and to control the gentleness of the descending slope).

[0055] The overall credibility weight of the target node in the next time window is used to calculate the global trust value in the next time window. The formula for the global trust value is:

[0056] in, This represents the global trust value of the vehicle-to-everything (V2X) network corresponding to the edge access point. This represents the overall credibility weight of the j-th node in the vehicle-to-everything (V2X) network. Indicates the filtering threshold. This represents the local trust score of the j-th node in the vehicle network.

[0057] Global trust score as indirect trust rating The reference factor for the calculation; Specifically, indirect trust scoring The formula is:

[0058]

[0059]

[0060]

[0061] in, Indicates indirect trust rating. This represents the global trust value of the vehicle-to-everything (V2X) network corresponding to the edge access point. Represents context-enhanced temporal features. This represents the normalized attention weight corresponding to the node and the i-th event in the global event set. This represents the feature vector of the i-th event. A geographic location vector representing the mapping of a node's location information. This represents the feature vector of the j-th event. This represents the similarity function.

[0062] It should be understood that indirect trust scoring Comprehensive trust score used to compute nodes Comprehensive trust score As a reference factor for judging the reliability of a node, when a node is unreliable, it is not necessary to respond to the requests sent by the node. Specifically, this involves a local trust score for the node. Direct Trust Rating and indirect trust rating The data is then integrated to obtain a comprehensive trust score. .

[0063] The process of trust downgrading can be understood as follows: after the overall credibility weight of the target node decreases in the next time window, the overall trust score of the target node in the next time window will decrease. The goal is to reduce [the number of attacks], thereby suppressing offensive behavior.

[0064] Please refer to Figure 4 In an optional implementation, the attack behavior suppression method in the Internet of Vehicles further includes: S21, S22, S23 and S24, which are described in detail below.

[0065] S21. Based on the request data of the target node in the current time window and the request data in the previous time window, determine the Hamming distance of the target node in the current time window.

[0066] Optionally, the Hamming distance of the target node within the current time window is calculated as follows:

[0067] in, This represents the Hamming distance (between 0 and 1) of the target node within the current time window (measuring the rate of change of the field). The table shows the maximum length of the requested data corresponding to the time window. This represents the i-th bit in the request data of the target node within the current time window. This represents the i-th bit in the request data of the target node within the previous time window.

[0068] S22, if the Hamming distance for multiple consecutive time windows is less than the distance threshold, it is determined that the target node has engaged in a fake location change attack.

[0069] Here, multiple consecutive time windows are from the tk-th time window to the t-th time window, where the t-th time window is the current time window, and the value of k can be, but is not limited to, 3. The distance threshold can be, but is not limited to, 0.1.

[0070] Calculating the Hamming distance of consecutively requested data measures the rate of change of data fields. To reduce computational costs, attackers may send repeated or fine-tuned data packets. A consistently low Hamming distance means that the requested content is being repeated or has only undergone minimal changes, which is a technique to reduce the computational cost of an attack.

[0071] S23, when the target node performs a fake change attack, the connection entropy of the target node in the next time window is estimated based on the connection entropy of the target node in the current time window and the average connection entropy of the group nodes in the vehicle network.

[0072] S24. Based on the connection entropy of the target node in adjacent time windows, adjust the indirect trust score of the target node in the next time window to achieve trust downgrading.

[0073] Indirect Trust Rating Comprehensive trust score used to compute nodes Comprehensive trust score As a reference factor for judging whether a node is reliable, when a node is unreliable, it is not necessary to respond to the requests sent by the node. The connection entropy recovery process synchronously improves the indirect trust score, that is, improves the node's collaborative credibility, and forms a positive incentive.

[0074] Optionally, the formula for the indirect trust score of the target node in the next time window is:

[0075]

[0076] in, This represents the indirect trust score of the target node in the next time window. This represents the indirect trust score of the target node within the current time window. This represents the connection entropy of the target node in the next time window (used to measure the diversity and balance of node connections / sessions; a larger value indicates a more diverse and even distribution of peers or sessions). This represents the connection entropy of the target node within the current time window. This represents the average connection entropy of a group of nodes in a vehicle-to-everything (V2X) network.

[0077] Please refer to Figure 5 In an optional implementation, the attack behavior suppression method in the Internet of Vehicles further includes: S31, S32 and S33, which are described in detail below.

[0078] S31, Determine the feature variation coefficient corresponding to the target node based on the sensitive noise-adding features uploaded by the target node.

[0079] Optionally, the formula for the feature variation coefficient corresponding to the target node is:

[0080] in, This represents the coefficient of variation (COP) of the feature corresponding to the target node. The standard deviation of the sensitive noise feature of the target node. The coefficient of variation represents the average value of the sensitive noise-adding features of the target node. Poisoning data usually has an abnormal distribution, and the coefficient of variation of the features can quantify the degree of deviation.

[0081] S32, if the coefficient of variation of the feature corresponding to the target node exceeds the coefficient of variation threshold, then it is determined that the target node has committed a first type of data poisoning attack.

[0082] The coefficient of variation threshold can be, but is not limited to, 2.5.

[0083] S33: When a first type of data poisoning attack occurs on the target node, the overall trust weight of the target node in the next time window is adjusted according to the feature variation coefficient to achieve trust downgrading.

[0084] Optionally, the formula for adjusting the overall credibility weight of the target node in the next time window based on the feature variation coefficient is as follows:

[0085] in, This represents the overall credibility weight of the target node in the next time window (which decreases linearly as the real-time request rate exceeds the limit). This represents the overall credibility weight of the target node within the current time window. This represents the feature variation coefficient corresponding to the target node; When the coefficient of variation of the feature corresponding to the target node exceeds the variation threshold (e.g., 2.0 in the formula), its weight in participating in federated aggregation (calculating the global trust value of the vehicle network) is restricted, that is, its comprehensive credibility weight feature coefficient of variation is restricted. The higher the value, the more significant the weight decay of the node in the federated aggregation.

[0086] Please refer to Figure 6 In an optional implementation, the attack behavior suppression method in the Internet of Vehicles further includes: S41, S42 and S43, which are described in detail below.

[0087] S41, calculate the similarity of the request content between the target node and other nodes in the vehicle network within the current time window.

[0088] Optionally, the formula for calculating the similarity of requested content is:

[0089] in, Indicates the similarity of the requested content. This represents the request content of the i-th node in the vehicle-to-everything (V2X) network within the current time window. The i-th node is not the target node. This represents the request content of the target node within the current time window. By quantifying request similarity, the Jaccard similarity of the request content of different nodes is calculated. Fake identities are usually controlled by the same attacker, and the request content is highly similar.

[0090] S42, if the similarity of the request content in multiple consecutive time windows is greater than the similarity threshold, it is determined that the target node has engaged in a coordinated Sybil attack.

[0091] Here, multiple consecutive time windows are from the tk-th time window to the t-th time window, where the t-th time window is the current time window, and the value of k can be, but is not limited to, 3. The similarity threshold can be, but is not limited to, 0.8.

[0092] This can be determined by whether the target node's request content similarity with the same node is greater than a similarity threshold in multiple consecutive time windows, or whether the target node's request content similarity with different nodes is greater than a similarity threshold in multiple consecutive time windows.

[0093] S43 applies a similarity penalty to all witch nodes in the vehicle network when the target node engages in a coordinated witch attack.

[0094] Among them, witch nodes include the target node and other nodes in the vehicle network whose request content is more similar to the target node than the similarity threshold.

[0095] Optionally, the formula for applying the similarity penalty is:

[0096]

[0097] in, This represents the safety gradient of the target node in the next time window after the update. It is obtained by subtracting components with directions similar to those of suspicious collaborating nodes, and is used to prevent being drawn in by collaborative poisoning. This represents the safety gradient of the target node within the current time window (the model gradient before purification). This represents the penalty intensity coefficient, which is directly proportional to the similarity of the request content. The larger the penalty intensity coefficient, the stronger the suppression of suspicious directions. This represents the model orientation similarity (cosine) between the target node and the kth witch node (excluding the target node). The closer it is to 1, the more consistent their update directions are, and the more likely they are collaborating. This represents the average request similarity metric. This represents the total number of witch nodes other than the target node.

[0098] Connect the target node to the set The content layer similarity was averaged to quantify the "overall tightness of collaboration." This is used to set the penalty intensity coefficient. The size, because the text explicitly states " "Proportional to the similarity of the requested content." This can be simplified to: (Set an upper limit) to quantify the principle of "the more similar they are, the heavier the penalty".

[0099] Please refer to Figure 7 In an optional implementation, the attack behavior suppression method in the Internet of Vehicles further includes: S51, S52 and S53, which are described in detail below.

[0100] S51, obtain the number of IPs associated with hardware verification information on the target node in the vehicle network within the IP monitoring period.

[0101] Hardware verification information can include fingerprint verification information, iris verification information, certificate verification information, etc.

[0102]

[0103] in, This indicates the number of associated IPs within the IP monitoring period. This indicates the k-th IP address associated only with the hardware verification information on the target node. This indicates the hardware verification information on the target node.

[0104] S52: When the number of associated IPs exceeds the IP count threshold, it is determined that the target node has engaged in identity spoofing attacks.

[0105] It should be understood that the frequency of IP address changes for normal devices is limited. The threshold for the number of IP addresses can be, but is not limited to, 5.

[0106] S53 updates the global blacklist based on the hardware verification information and associated IP address of the target node when an identity spoofing attack occurs on the target node.

[0107] The blacklist is broadcast via the Gossip protocol, forcing all edge nodes to synchronously clear the weight of the hardware verification information and its associated IP on the target node. In other words, the comprehensive trust weight corresponding to the hardware verification information and its associated IP on the target node is cleared to zero, immediately stripping it of its influence in aggregation and propagation.

[0108] The formula for updating the global blacklist is:

[0109] in, This indicates a global blacklist. This indicates the hardware verification information on the target node. This indicates the associated IP address for hardware verification information on the target node. This represents the overall credibility weight of the target node.

[0110] Please refer to Figure 8 In an optional implementation, the attack behavior suppression method in the Internet of Vehicles further includes: S61, S62 and S65, which are described in detail below.

[0111] S61. Determine the sensitivity based on the number of queries for sensitive fields and the total number of queries for the target node within the current time window.

[0112] Optionally, the formula for sensitivity is:

[0113] in, This indicates the sensitivity of the target node within the current time window. This indicates the number of times the target node's sensitive fields were queried within the current time window. This indicates the total number of queries performed on the target node within the current time window.

[0114] S62, when the sensitivity exceeds the sensitivity threshold, determines that the target node has engaged in reasoning attack behavior.

[0115] The sensitivity threshold can be, but is not limited to, 0.7. When the sensitivity exceeds the sensitivity threshold, it indicates that the attacker is trying to infer sensitive information through high-frequency queries, and it can be determined that the target node has engaged in reasoning attack behavior.

[0116] S65, when it is determined that the target node has engaged in inference attack behavior, sends a privacy budget adjustment instruction to the target node to change the noise intensity in the sensitive noise-added features transmitted by the target node.

[0117] The target node's obfuscation noise is linked to the privacy budget, and the noise intensity is dynamically adjusted to match the privacy budget. Changes in privacy budgets The lower the privacy requirement, the greater the response noise, which can disrupt reasoning attacks.

[0118]

[0119]

[0120]

[0121] in, This represents the i-th sensitive noise-adding feature. Let represent the i-th sensitive feature, x represent random noise, b represent the Laplace noise scaling parameter, Δ represent the data sensitivity, and ε be the target node's privacy budget in the baseline. Here, it is used as a priori, sampling according to a Beta(a,b) distribution to introduce randomness and robustness. The privacy budget ε determines the noise intensity. This represents the actual privacy budget allocated to the target node for adding noise after the privacy budget adjustment. This represents the average of sensitive data for the target node within the current time window. This represents the standard deviation of sensitive data for the target node within the current time window (adaptively scaled to the available privacy budget based on data dispersion), and the actual privacy budget. The lower the noise level (for high privacy requirements), the greater the noise level, and the more likely it is to disrupt reasoning attacks.

[0122] Please refer to Figure 9 In an optional implementation, the attack behavior suppression method in the Internet of Vehicles further includes: S63, S64 and S65, which are described in detail below.

[0123] S63, determine the current autocorrelation coefficient of the target node based on the request counts of the target node at each time point within the current time window.

[0124] Optionally, the current autocorrelation coefficient is calculated as follows:

[0125] in, This represents the current autocorrelation coefficient of the target node. This represents the request count of the target node at time point t within the current time window. This represents the request count of the target node at time point t-1 within the current time window. This represents the average request count for the target node within the current time window. Indicates the length of the current time window.

[0126] S64: When the current autocorrelation coefficient of the target node is less than the autocorrelation threshold, it is determined that the target node has engaged in a disruptive timing attack.

[0127] The autocorrelation threshold can be, but is not limited to, 0.3.

[0128] When the current autocorrelation coefficient of the target node is less than the autocorrelation threshold, it indicates that the attacker is deliberately disrupting the timing to cover up the pattern, thus confirming that the target node has engaged in a timing disruption attack.

[0129] S65, when it is determined that the target node has engaged in a time-disruption attack, sends a privacy budget adjustment instruction to the target node to change the noise intensity in the sensitive noise-adding features transmitted by the target node.

[0130] The attack suppression method for the Internet of Vehicles provided in this invention can effectively cope with the ever-evolving complex network attacks. It achieves accurate detection and suppression of multimodal attacks (DDoS, data poisoning, Sybil, inference attacks).

[0131] Please see Figure 10 , Figure 10 An attack behavior suppression device in a vehicle network is provided as an embodiment of the present invention. Optionally, the attack behavior suppression device in a vehicle network is applied to the electronic device described above.

[0132] The attack suppression device in the Internet of Vehicles includes: a first processing unit 701 and a second processing unit 702.

[0133] The first processing unit 701 is used to determine the request rate of the target node in the current time window based on the total number of requests of the target node in the current time window and the length of the time window, wherein the target node belongs to the Internet of Vehicles. The first processing unit 701 is also used to determine that the target node has engaged in a high-load attack when the request rate of the target node in the current time window is greater than the request rate threshold. The second processing unit 702 is used to adjust the token bucket capacity of the target node based on the number of historical attacks when a high-load attack occurs on the target node.

[0134] Optionally, the second processing unit 702 may execute S13, S14, S24, S33, S43, S53 and S65 as described above, and the first processing unit 701 may execute other steps in the above method embodiments.

[0135] It should be noted that the attack suppression device in the Internet of Vehicles provided in this embodiment can execute the method flow shown in the above-described method flow embodiment to achieve the corresponding technical effects. For the sake of brevity, any parts not mentioned in this embodiment can be referred to the corresponding content in the above-described embodiments.

[0136] This invention also provides a storage medium storing computer instructions and programs. When these instructions and programs are read and executed, they perform the attack suppression method for the Internet of Vehicles described above. The storage medium may include memory, flash memory, registers, or a combination thereof.

[0137] The following provides an electronic device that serves as an edge access point for a vehicle-to-everything (V2X) network. This electronic device can be a computer, a mobile phone, or a gateway device. Figure 1 As shown, the above-described method for suppressing attack behavior in the Internet of Vehicles (IoV) can be implemented. Specifically, the electronic device includes: a processor 10, a memory 11, and a bus 12. The processor 10 may be a CPU. The memory 11 is used to store one or more programs, which, when executed by the processor 10, execute the method for suppressing attack behavior in the IoV as described in the above embodiment.

[0138] In summary, the attack suppression method and related equipment provided by this invention in the Internet of Vehicles (IoV) determine the request rate of a target node within a current time window based on the total number of requests made by the target node within that time window and the length of the time window, wherein the target node belongs to the IoV network. When the request rate of the target node within the current time window exceeds a request rate threshold, it is determined that the target node has engaged in high-load attack behavior. When the target node engages in high-load attack behavior, the token bucket capacity of the target node is adjusted based on the number of historical attacks. By using the request rate of the target node within the current time window, it quickly and accurately identifies whether the target node has engaged in high-load attack behavior, and dynamically limits the request rate of the target node by adjusting the token bucket capacity when high-load attack behavior occurs, thereby achieving the defensive purpose of suppressing attack behavior in the IoV network and ensuring the security of the vehicle-mounted ad hoc network.

[0139] The above description is merely a preferred embodiment of the present invention and is not intended to limit the invention. Various modifications and variations can be made to the present invention by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.

[0140] It will be apparent to those skilled in the art that the present invention is not limited to the details of the exemplary embodiments described above, and that the invention can be implemented in other specific forms without departing from its spirit or essential characteristics. Therefore, the embodiments should be considered in all respects as exemplary and non-limiting, and the scope of the invention is defined by the appended claims rather than the foregoing description. Thus, all variations falling within the meaning and scope of equivalents of the claims are intended to be included within the present invention. No reference numerals in the claims should be construed as limiting the scope of the claims.

Claims

1. A method for suppressing attack behavior in a vehicle-to-everything (V2X) network, characterized in that, The method includes: The request rate of the target node in the current time window is determined based on the total number of requests to the target node in the current time window and the length of the time window, wherein the target node belongs to the Internet of Vehicles. When the request rate of the target node exceeds the request rate threshold within the current time window, it is determined that the target node has engaged in a high-load attack. When a high-load attack occurs on the target node, the token bucket capacity of the target node is adjusted according to the number of historical attacks.

2. The method for suppressing attack behavior in the Internet of Vehicles as described in claim 1, characterized in that, When the request rate of the target node within the current time window exceeds the request rate threshold, the method further includes: Based on the request rate of the target node in the current time window, the overall trust weight of the target node in the next time window is adjusted to achieve trust downgrading.

3. The method for suppressing attack behavior in the Internet of Vehicles as described in claim 1, characterized in that, The method further includes: Based on the request data of the target node in the current time window and the request data in the previous time window, determine the Hamming distance of the target node in the current time window; If the Hamming distance for multiple consecutive time windows is less than the distance threshold, it is determined that the target node has engaged in a fake location change attack. When the target node performs a fake change attack, the connection entropy of the target node in the next time window is estimated based on the connection entropy of the target node in the current time window and the average connection entropy of the group nodes in the vehicle network. Based on the connection entropy of the target node in adjacent time windows, adjust the indirect trust score of the target node in the next time window to achieve trust downgrading.

4. The method for suppressing attack behavior in the Internet of Vehicles as described in claim 1, characterized in that, The method further includes: Based on the sensitive noise-added features uploaded by the target node, determine the feature variation coefficient corresponding to the target node; If the coefficient of variation of the feature corresponding to the target node exceeds the coefficient of variation threshold, it is determined that the target node has committed a first type of data poisoning attack. When the target node experiences a first type of data poisoning attack, the overall trust weight of the target node in the next time window is adjusted according to the feature variation coefficient to achieve trust downgrading.

5. The method for suppressing attack behavior in the Internet of Vehicles as described in claim 1, characterized in that, The method further includes: Calculate the similarity of the request content between the target node and other nodes in the vehicle network within the current time window; If the similarity of the request content in multiple consecutive time windows is greater than the similarity threshold, it is determined that the target node has engaged in a coordinated Sybil attack. When the target node engages in a coordinated Sybil attack, a similarity penalty is applied to all Sybil nodes in the vehicle network. Sybil nodes include the target node and other nodes in the vehicle network whose request content is more similar to the target node than a similarity threshold.

6. The method for suppressing attack behavior in the Internet of Vehicles as described in claim 1, characterized in that, The method further includes: Obtain the number of IPs associated with hardware verification information on the target node in the vehicle network within the IP monitoring period; When the number of associated IPs exceeds the IP count threshold, it is determined that the target node has engaged in an identity spoofing attack. When an identity spoofing attack occurs on a target node, the global blacklist is updated based on the hardware verification information on the target node and its associated IP.

7. The method for suppressing attack behavior in the Internet of Vehicles as described in claim 1, characterized in that, The method further includes: Sensitivity is determined by comparing the number of queries to sensitive fields with the total number of queries to the target node within the current time window. When the sensitivity exceeds the sensitivity threshold, it is determined that the target node has engaged in a reasoning attack. Alternatively, the current autocorrelation coefficient of the target node can be determined based on the request counts of the target node at each time point within the current time window; When the current autocorrelation coefficient of the target node is less than the autocorrelation threshold, it is determined that the target node has engaged in a disruptive timing attack. When it is determined that the target node has engaged in inference attack or time-disruption attack, a privacy budget adjustment instruction is sent to the target node to change the noise intensity in the sensitive noise-adding features transmitted by the target node.

8. A device for suppressing attack behavior in a vehicle network, characterized in that, The device includes: The first processing unit is used to determine the request rate of the target node in the current time window based on the total number of requests to the target node in the current time window and the length of the time window, wherein the target node belongs to the Internet of Vehicles. The first processing unit is further configured to determine that the target node has engaged in a high-load attack when the request rate of the target node within the current time window is greater than the request rate threshold; The second processing unit is used to adjust the token bucket capacity of the target node based on the number of historical attacks when the target node experiences a high-load attack.

9. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the method as described in any one of claims 1-7.

10. An electronic device, characterized in that, include: Processor and memory, the memory being used to store one or more programs; When the one or more programs are executed by the processor, the method as described in any one of claims 1-7 is implemented.